Call to ban sale of IoT toys with proven security flaws

Ahead of 2017’s present buying season, UK consumer rights group Which? has warned parents about the risks of giving connected toys to their children, and called for devices with known security and/or privacy risks to be banned from sale on child-safety grounds.

Working with security researchers, the group has spent the past 12 months investigating several popular Bluetooth or Wi-Fi toys that are on sale at major retailers, and says it found “concerning vulnerabilities” in several devices that could “enable anyone to effectively talk to a child through their toy”.

It’s published specific findings on four of the toys it looked at, namely the Furby Connect, I-Que Intelligent Robot, Toy-fi Teddy and CloudPets cuddly toy.

The latter toy drew major criticism from security experts in February 2017 when it was discovered that its maker had stored thousands of unencrypted voice recordings of kids and parents using the toy in a publicly accessible online database, with no authentication required to access the data. (The exposed data was subsequently deleted by attackers and held to ransom.)

Which? says that in every case it was far too easy for someone to pair their own device to the toy without authorisation and use it to talk to a child. It particularly highlights that the toys’ Bluetooth connections had not been properly secured: there was no requirement for the user to enter a password, PIN code or any other authentication to gain access. In practice that means the toy accepts an unauthenticated pairing from any device in radio range, so nothing distinguishes a parent’s phone from a stranger’s.

“That person would need hardly any technical know-how to ‘hack’ your child’s toy,” it writes. “Bluetooth has a range limit, usually 10 meters, so the immediate concern would be someone with malicious intentions nearby. However, there are methods for extending Bluetooth range, and it’s possible someone could set up a mobile system in a vehicle to trawl the streets hunting for unsecured toys.”

In the case of the Furby, Which?’s external security researchers also believed it would be possible to re-engineer the toy’s firmware and turn it into a listening device, because of a vulnerability they found in its design (which Which? is not publicly disclosing), although they were not able to do this in the time available for the investigation.

Which? describes its findings as “the tip of a very worrying iceberg” — also flagging other concerns raised over kids’ IoT devices from several European regulatory bodies.

Last month, for example, the Norwegian Consumer Council warned over similar security and privacy concerns pertaining to kids’ smartwatches.

This summer the FBI also issued a consumer notice warning that IoT toys “could put the privacy and safety of children at risk due to the large amount of personal information that may be unwittingly disclosed”.

“You wouldn’t let a young child play with a smartphone unsupervised and our investigation shows parents need to apply the same level of caution if considering giving a child a connected toy,” said Alex Neill, Which? MD of home products and services in a statement.

“While there is no denying the huge benefits these devices can bring to our daily lives, safety and security should be the absolute priority. If that can’t be guaranteed, then the products should not be sold.”